authoremaste <emaste@FreeBSD.org>2018-03-28 13:41:43 +0000
committeremaste <emaste@FreeBSD.org>2018-03-28 13:41:43 +0000
commit70103ce46f7a4f1731900e377c671246f9cbd0a8 (patch)
tree97aae3d334a2dbf05dbf5b34622e40862b2a478c
parent7ff6ea0d3119854fae9c76bb6e4b318fe0f0a5a7 (diff)
MFC r331329: Fix kernel memory disclosure in ibcs2_getdents
ibcs2_getdents() copies a dirent structure to userland. The ibcs2 dirent structure contains a 2 byte pad element. This element is never initialized, but copied to userland none-the-less. Note that ibcs2 has not built on HEAD since r302095. Submitted by: Domagoj Stolfa <ds815@cam.ac.uk> Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Security: Kernel memory disclosure (803) Sponsored by: The FreeBSD Foundation
-rw-r--r--sys/i386/ibcs2/ibcs2_misc.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index c166d78..637aa54 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdents_args *uap)
#define BSD_DIRENT(cp) ((struct dirent *)(cp))
#define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
+ memset(&idb, 0, sizeof(idb));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
if (error != 0)
return (error);
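Review bot: The added `memset(&idb, 0, sizeof(idb));` carries no comment explaining why it is there, so a later cleanup could drop it as a redundant initialisation and reopen the disclosure. A one-line comment above it would record the intent, for example `/* Zero idb, pad bytes included, so no uninitialized kernel memory is copied to userland. */`. Zeroing the whole structure, rather than assigning the pad member alone, is the right shape because it also covers any padding the compiler inserts between members. The body of ibcs2_getdents continues outside the hunk, so whether idb is the only object copied out to the caller cannot be checked from these lines.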